I've taken both classes, passed the GPEN, going on for the GWAPT in the next few weeks.

As far as the content goes, Sec542 was harder for me. I never did web development in the past, so some of the attacks were new things, for instance attacking/enumerating SOAP web services. I don't see it as much more difficult though.

The GWAPT test was harder than GPEN test. Part of it is that web pen testing is about nuance where many of the things on GPEN are more straightforward. An app is either vulnerable or it's not, where an XSS or SQL injection can look a number of ways. We covered Nessus in GPEN, there are 4 or 5 scanners used for GWAPT. It's the little things that will get you. I thought the GWAPT class was harder than the GPEN class too. I think that part of that is due to the fact that Ed Skoudis is a badass when it comes to course devel. His courses have a great flow to them, and Ed is an excellent educator. Kevin's class, the web app pen testing class, is very good but the information doesn't have as much of a flow to it. It is still an excellent class, but the material that has to be covered can't really have as much of a natural flow to it.

This is more forward than I normally am, but take 560 (GPEN) before you take 542 (GWAPT), I think; the GPEN will get you the business knowledge and the GWAPT covers more skills-type things. Once you're thinking like a pen tester business- and skills-wise, the GWAPT will go better. GWAPT was a kick ass class though, and you will learn great stuff. I haven't seen any course material out there that covers what GWAPT covers as well as it covers it.

Dark_Knight wrote: For the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?

Both, I program in c/c++/php/perl/python/ruby/lua predominantly but am not a true developer. The reason the web stuff is harder course-wise is that there is much more subtlety to what you are doing. Do you need a ' or a " when you are doing a specific injection? What happens when the script upper cases every command you type for command injection (Unix doesn't like that much)? Those sorts of things you don't have to deal with as much in the network pen testing classes.

That said, I should say if you have no programming background at all, you may find 542 even more challenging. There are days in there to teach basic scripting, but you will be slower than your counterparts who have some very basic experience in programming/scripting. That said, you don't have to have programming knowledge to take the course, you will do OK without it, but you will have to work harder.

I follow you. I come from a programming background and am currently doing the GWAPT via SANS OnDemand. Great stuff so far. Kevin Johnson is hilarious.